{"id":"CVE-2025-21702","summary":"pfifo_tail_enqueue: Drop new packet when sch-\u003elimit == 0","details":"In the Linux kernel, the following vulnerability has been resolved:\n\npfifo_tail_enqueue: Drop new packet when sch-\u003elimit == 0\n\nExpected behaviour:\nIn case we reach scheduler's limit, pfifo_tail_enqueue() will drop a\npacket in scheduler's queue and decrease scheduler's qlen by one.\nThen, pfifo_tail_enqueue() enqueue new packet and increase\nscheduler's qlen by one. Finally, pfifo_tail_enqueue() return\n`NET_XMIT_CN` status code.\n\nWeird behaviour:\nIn case we set `sch-\u003elimit == 0` and trigger pfifo_tail_enqueue() on a\nscheduler that has no packet, the 'drop a packet' step will do nothing.\nThis means the scheduler's qlen still has value equal 0.\nThen, we continue to enqueue new packet and increase scheduler's qlen by\none. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by\none and return `NET_XMIT_CN` status code.\n\nThe problem is:\nLet's say we have two qdiscs: Qdisc_A and Qdisc_B.\n - Qdisc_A's type must have '-\u003egraft()' function to create parent/child relationship.\n   Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`.\n - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`.\n - Qdisc_B is configured to have `sch-\u003elimit == 0`.\n - Qdisc_A is configured to route the enqueued's packet to Qdisc_B.\n\nEnqueue packet through Qdisc_A will lead to:\n - hfsc_enqueue(Qdisc_A) -\u003e pfifo_tail_enqueue(Qdisc_B)\n - Qdisc_B-\u003eq.qlen += 1\n - pfifo_tail_enqueue() return `NET_XMIT_CN`\n - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` =\u003e hfsc_enqueue() don't increase qlen of Qdisc_A.\n\nThe whole process lead to a situation where Qdisc_A-\u003eq.qlen == 0 and Qdisc_B-\u003eq.qlen == 1.\nReplace 'hfsc' with other type (for example: 'drr') still lead to the same problem.\nThis violate the design where parent's qlen should equal to the sum of its childrens'qlen.\n\nBug impact: This issue can be used for user-\u003ekernel privilege escalation when it is reachable.","modified":"2026-04-03T13:14:40.526380Z","published":"2025-02-18T14:37:43.429Z","related":["ALSA-2025:20095","ALSA-2025:20518","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01965-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:01972-1","SUSE-SU-2025:01983-1","SUSE-SU-2025:02000-1","SUSE-SU-2025:02099-1","SUSE-SU-2025:02264-1","SUSE-SU-2025:02308-1","SUSE-SU-2025:02320-1","SUSE-SU-2025:02321-1","SUSE-SU-2025:02322-1","SUSE-SU-2025:02537-1","SUSE-SU-2025:02601-1","SUSE-SU-2025:02602-1","SUSE-SU-2025:02604-1","SUSE-SU-2025:02606-1","SUSE-SU-2025:02607-1","SUSE-SU-2025:02608-1","SUSE-SU-2025:02610-1","SUSE-SU-2025:02611-1","SUSE-SU-2025:02618-1","SUSE-SU-2025:02619-1","SUSE-SU-2025:02627-1","SUSE-SU-2025:02632-1","SUSE-SU-2025:02636-1","SUSE-SU-2025:02637-1","SUSE-SU-2025:02638-1","SUSE-SU-2025:02647-1","SUSE-SU-2025:02648-1","SUSE-SU-2025:02652-1","SUSE-SU-2025:02673-1","SUSE-SU-2025:02676-1","SUSE-SU-2025:02687-1","SUSE-SU-2025:02688-1","SUSE-SU-2025:02689-1","SUSE-SU-2025:02691-1","SUSE-SU-2025:02693-1","SUSE-SU-2025:02697-1","SUSE-SU-2025:02698-1","SUSE-SU-2025:02704-1","SUSE-SU-2025:02708-1","SUSE-SU-2025:02710-1","SUSE-SU-2025:02858-1","SUSE-SU-2025:02942-1","SUSE-SU-2025:20408-1","SUSE-SU-2025:20413-1","SUSE-SU-2025:20419-1","SUSE-SU-2025:20421-1","SUSE-SU-2025:20568-1","SUSE-SU-2025:20569-1","SUSE-SU-2025:20570-1","SUSE-SU-2025:20572-1","SUSE-SU-2025:20573-1","SUSE-SU-2025:20574-1","SUSE-SU-2025:20575-1","SUSE-SU-2025:20576-1","SUSE-SU-2025:20578-1","SUSE-SU-2025:20579-1","SUSE-SU-2025:20580-1","SUSE-SU-2025:20581-1","SUSE-SU-2025:20582-1","SUSE-SU-2025:20583-1","SUSE-SU-2025:20584-1","SUSE-SU-2025:20610-1","SUSE-SU-2025:20611-1","SUSE-SU-2025:20612-1","SUSE-SU-2025:20613-1","SUSE-SU-2025:20614-1","SUSE-SU-2025:20615-1","SUSE-SU-2025:20616-1","SUSE-SU-2025:20620-1","SUSE-SU-2025:20621-1","SUSE-SU-2025:20622-1","SUSE-SU-2025:20623-1","SUSE-SU-2025:20624-1","SUSE-SU-2025:20625-1","SUSE-SU-2025:4123-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21702.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/020ecb76812a0526f4130ab5aeb6dc7c773e7ab9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/647cef20e649c576dff271e018d5d15d998b629d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/78285b53266d6d51fa4ff504a23df03852eba84e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/79a955ea4a2e5ddf4a36328959de0de496419888"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7a9723ec27aff5674f1fd4934608937f1d650980"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a56a6e8589a9b98d8171611fbcc1e45a15fd2455"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b6a079c3b6f95378f26e2aeda520cb3176f7067b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e40cb34b7f247fe2e366fd192700d1b4f38196ca"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21702.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21702"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"57dbb2d83d100ea601c54fe129bfde0678db5dee"},{"fixed":"78285b53266d6d51fa4ff504a23df03852eba84e"},{"fixed":"7a9723ec27aff5674f1fd4934608937f1d650980"},{"fixed":"a56a6e8589a9b98d8171611fbcc1e45a15fd2455"},{"fixed":"020ecb76812a0526f4130ab5aeb6dc7c773e7ab9"},{"fixed":"79a955ea4a2e5ddf4a36328959de0de496419888"},{"fixed":"e40cb34b7f247fe2e366fd192700d1b4f38196ca"},{"fixed":"b6a079c3b6f95378f26e2aeda520cb3176f7067b"},{"fixed":"647cef20e649c576dff271e018d5d15d998b629d"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21702.json"}}],"schema_version":"1.7.5"}